The Case of the Missing strcpy

For some of you this may be elementary, but it wasn't for me. I'm working on a tool that parses and scans ELF binaries, which I am going to release soon, and to test it I made a C program with the various things it scans for.

One of the things I put in for demonstration purposes was a call to strcpy(), since one of the many things the tool does is disassemble the ELF binary and look for uses of potentially vulnerable functions. Here is a snippet of the code:

#include <string.h>
int main(void) {
    char buffer[10];
    strcpy(buffer, "This string is too long for the buffer"); /* deliberate overflow: 39 bytes into a 10-byte buffer */
}

I haven't been paying attention, so I don't know when GCC added the behaviour that made strcpy go missing (probably a decade ago; give me a little break for missing it, I've been consulting, managing people, and raising VC during that time), but my tool couldn't find it. I disassembled my binary:


Disassembly of section .plt.sec:

00000000000010b0 <puts@plt>:
    10b0:   f3 0f 1e fa             endbr64
    10b4:   f2 ff 25 e5 2e 00 00    bnd jmp *0x2ee5(%rip)        # 3fa0 <puts@GLIBC_2.2.5>
    10bb:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)

<---snip--->

00000000000010d0 <printf@plt>:
    10d0:   f3 0f 1e fa             endbr64
    10d4:   f2 ff 25 d5 2e 00 00    bnd jmp *0x2ed5(%rip)        # 3fb0 <printf@GLIBC_2.2.5>
    10db:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)

But no strcpy().

I loaded it in IDA to look for it and couldn't even find the string that strcpy is supposed to be copying:

[screenshot: Missing strcpy]

So then I tried removing optimizations with gcc -O0, but no luck. Then I discovered this little argument called -fno-builtin. I recompiled with it and disassembled the result to look for the missing strcpy:

[screenshot: strcpy found!]

There it is. GCC had been treating strcpy as a builtin: with a string literal as the source, it knows the length at compile time and expands the copy inline as a handful of mov instructions with the string bytes embedded as immediates, which is why neither a call to strcpy nor the string literal showed up in the binary. -O0 is not enough to stop that; -fno-builtin is. Two caveats worth keeping in mind: the overflow still happens in the builtin-expanded build, it just never goes through libc's strcpy, so a scanner that keys on dangerous imports will not see it; and -fno-builtin only helps when you control the build of the thing you are scanning. Finally I ran my tool:
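To make the disassembly-based check from earlier in the post reproducible, here is a small script that builds the overflow program three ways and counts how many lines of the objdump output mention strcpy@plt. This is an added example, not code from the original post or from the Red Crow Lab tool; it assumes gcc and objdump (GNU binutils) are on PATH, the C source is constructed here for the demonstration, and everything is built in a throwaway temp directory. -fno-builtin-strcpy is the per-function form of the flag, which disables the builtin for strcpy only and leaves the rest alone.

```shell
#!/bin/sh
# Added example (not code from the original post or from the Red Crow Lab tool):
# reproduce the missing-strcpy observation end to end. Assumes gcc and objdump
# (GNU binutils) are on PATH; the C source below is constructed for this demo.
set -eu

have_toolchain() {
    command -v gcc >/dev/null 2>&1 && command -v objdump >/dev/null 2>&1
}

# Write the constructed test program (the post's deliberate overflow) to $1.
write_source() {
    cat > "$1" <<'EOF'
#include <string.h>
int main(void)
{
    char buffer[10];
    strcpy(buffer, "This string is too long for the buffer"); /* deliberate overflow */
    return 0;
}
EOF
}

# Count lines of the disassembly that mention strcpy@plt: the PLT stub's label
# plus one line per call site. Zero means no call to libc strcpy survived.
count_strcpy_plt() {
    objdump -d "$1" | grep -c 'strcpy@plt' || true
}

# Build the test program at -O0 with the extra gcc flags in $1 (may be the
# empty string; it is word-split on purpose) and print the strcpy@plt count.
strcpy_plt_count() {
    flags=$1
    dir=$(mktemp -d)
    write_source "$dir/overflow.c"
    # shellcheck disable=SC2086
    gcc -O0 $flags -o "$dir/overflow" "$dir/overflow.c"
    count_strcpy_plt "$dir/overflow"
    rm -rf "$dir"
}

if have_toolchain; then
    echo "gcc -O0 (default):           $(strcpy_plt_count "") strcpy@plt references"
    echo "gcc -O0 -fno-builtin:        $(strcpy_plt_count "-fno-builtin") strcpy@plt references"
    echo "gcc -O0 -fno-builtin-strcpy: $(strcpy_plt_count "-fno-builtin-strcpy") strcpy@plt references"
else
    echo "gcc and/or objdump not found; nothing to build" >&2
fi
```

On a stock x86-64 Linux GCC the first line reports 0 and the other two report at least 2 (the stub label and the call site). When you do not control the build, the count from the default build is the one to worry about: the copy is still there, and a scanner has to spot inline-expanded copies (runs of immediate stores whose bytes are printable ASCII) rather than rely on the import table.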

[screenshot: Tool Success!]

And hence the mystery of the missing strcpy was solved! Stay tuned for a demo article of the tool and a release on the Red Crow Lab GitHub.

Thanks for reading,

A.